The electric grid is more cyber vulnerable than has been acknowledged

Feb. 19, 2016

George Cotter (formerly Chief Scientist for the National Security Agency) and I briefed the FERC Commissioners on cyber threats and cyber incidents affecting the grid.  The cyber security regulations fail to include a requirement that utilities (or nuclear plants) remove malware found in their networks.  

February 9, 2016: NERC issued an alert titled, “Mitigating Adversarial Manipulation of Industrial Control System as Evidenced by Recent International Events.” Also on February 9: The Obama administration announced its Cybersecurity National Action Plan. Writing on behalf of the Plan in a Wall Street Journal op-ed, the President characterized cyber threats as an “urgent danger” to our economic and national security and stated that adversaries are probing for vulnerabilities in the networks controlling our power grid.

January 28-29, 2016: George Cotter (formerly Chief Scientist for the National Security Agency) and I briefed the FERC Commissioners on cyber threats and cyber incidents affecting the grid. The briefing slides, which are part of the FERC public record (Docket RM15-14-000), are available at “Exercise of FERC Authority for Cybersecurity of the North American Electric Grid.”

One matter we flagged for the Commissioners was a glaring omission in cyber security regulations for the electric utilities (NERC CIPs) and the nuclear utilities (Regulatory Guide 5.71/NEI-0809). These regulations fail to include a requirement that utilities (or nuclear plants) remove malware found in their networks. This is astounding, considering that BlackEnergy—malware which almost certainly facilitated the recent cyber attacks on the Ukrainian electric grid—has also been found in the US electric grid. This hole in the regulations certainly won’t help utilities’ prospects in the cyber insurance market.

I will speak about industrial control system (ICS) cyber security issues, including regulatory deficiencies and cyber insurance considerations, in keynote addresses to the National Academy of Science, Engineering, and Medicine (February 23, in Washington, D.C.) and to the Business Insurance Risk Conference (March 23, in New York).

Joe Weiss
